BTW: From the release notes:

- Add the ability to configure the OCSP checks to soft-fail - i.e. if the responder cannot be contacted or fails to respond in a timely manner the OCSP check will not fail. (markt)
- Add a configurable timeout to the writing of OCSP requests and reading of OCSP responses. (markt)
- Add the ability to control the OCSP verification flags. (markt)
How can I configure the new settings? Or control the OCSP verification flags? Thanks again.

> On 15.01.2026 at 18:11, [email protected] wrote:
>
> Hi all.
>
> I've compiled the newest version of tomcat native in my tomcat 9.0.113 docker container.
>
> Now authentication with a client certificate fails. This has been working fine with 1.3.1/2.0.9.
> And the same setup still works with the JSSE connector.
>
> As I read in the release notes there have been changes in the verification of OCSP responses. My assumption, as the certs and client have not changed, would be that there is something missing or a bug. Maybe my certs are wrong, but JSSE is not complaining...
>
> Is there anything I can try to debug or get more information within tomcat?
>
> Thank You
>
> Peter
>
> Find my logs and config below:
>
> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
> * Host tomcat.fritz.box:8843 was resolved.
> * IPv6: (none)
> * IPv4: 192.168.126.130
> * Trying 192.168.126.130:8843...
> * ALPN: curl offers http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * SSL Trust Anchors:
> * CAfile: chain.logopk.crt.pem
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> * TLSv1.3 (IN), TLS handshake, Finished (20):
> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
> * ALPN: server accepted http/1.1
> * Server certificate:
> * subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
> * start date: Jan 14 22:20:04 2026 GMT
> * expire date: Apr 14 22:21:04 2026 GMT
> * issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
> * Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> * Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> * subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
> * SSL certificate verified via OpenSSL.
> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54222
> * using HTTP/1.x
> > GET / HTTP/1.1
> > Host: tomcat.fritz.box:8843
> > User-Agent: curl/8.18.0
> > Accept: */*
> >
> * Request completely sent off
> * TLSv1.3 (IN), TLS alert, unknown CA (560):
> * OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
> * closing connection #0
> curl: (56) OpenSSL SSL_read: OpenSSL/3.6.0: error:0A000418:SSL routines::tlsv1 alert unknown ca, errno 0
>
> as comparison the same request with native 1.3.1:
>
> ▶ curl -v --http1.1 https://tomcat.fritz.box:8843 --cacert chain.logopk.crt.pem --cert client.crt:xxx --cert-type PEM --key client.key
> * Host tomcat.fritz.box:8843 was resolved.
> * IPv6: (none)
> * IPv4: 192.168.126.130
> * Trying 192.168.126.130:8843...
> * ALPN: curl offers http/1.1
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * SSL Trust Anchors:
> * CAfile: chain.logopk.crt.pem
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
> * TLSv1.3 (IN), TLS handshake, Request CERT (13):
> * TLSv1.3 (IN), TLS handshake, Certificate (11):
> * TLSv1.3 (IN), TLS handshake, CERT verify (15):
> * TLSv1.3 (IN), TLS handshake, Finished (20):
> * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
> * TLSv1.3 (OUT), TLS handshake, Certificate (11):
> * TLSv1.3 (OUT), TLS handshake, CERT verify (15):
> * TLSv1.3 (OUT), TLS handshake, Finished (20):
> * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
> * ALPN: server accepted http/1.1
> * Server certificate:
> * subject: C=DE; ST=Hessen; L=Dreieich; O=logo; OU=logo; CN=tomcat.fritz.box
> * start date: Jan 14 22:20:04 2026 GMT
> * expire date: Apr 14 22:21:04 2026 GMT
> * issuer: C=DE; ST=Hessen; O=logo; OU=logo; CN=logo Intermediate CA 2025; emailAddress=logo@xxx
> * Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> * Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha512WithRSAEncryption
> * subjectAltName: "tomcat.fritz.box" matches cert's "tomcat.fritz.box"
> * SSL certificate verified via OpenSSL.
> * Established connection to tomcat.fritz.box (192.168.126.130 port 8843) from 192.168.126.1 port 54529
> * using HTTP/1.x
> > GET / HTTP/1.1
> > Host: tomcat.fritz.box:8843
> > User-Agent: curl/8.18.0
> > Accept: */*
> >
> * Request completely sent off
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
> < HTTP/1.1 200
> < Strict-Transport-Security: max-age=31536000
> < X-Frame-Options: DENY
> < X-Content-Type-Options: nosniff
> < X-XSS-Protection: 1; mode=block
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 16
> < Date: Thu, 15 Jan 2026 17:05:10 GMT
> < Server: Apache Tomcat
> <
>
> This is Tomcat
> * Connection #0 to host tomcat.fritz.box:8843 left intact
>
>
> testssl.sh:
>
> Certificate Validity (UTC) 89 >= 60 days (2026-01-14 22:20 --> 2026-04-14 22:21)
> ETS/"eTLS", visibility info not present
> Certificate Revocation List http://crl.fritz.box:8881/step.crl.pem
> OCSP URI http://ocsp.fritz.box:8889
> OCSP stapling not offered
> OCSP must staple extension --
>
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> allowTrace="false"
> maxThreads="150"
> SSLEnabled="true"
> compression="off"
> scheme="https"
> server="Apache Tomcat"
> secure="true"
> defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
> <SSLHostConfig
> hostName="tomcat.fritz.box"
> honorCipherOrder="true"
> protocols="+TLSv1.2,+TLSv1.3"
> certificateVerification="none"
> certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl"
> truststoreFile="${catalina.base}/conf/ssl/cacerts.jks"
> truststorePassword="changeit"
> ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM" >
>
> <Certificate
> certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
> certificateKeystorePassword="changeit"
> certificateKeyAlias="tomcat"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> <Connector port="8843"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> server="Apache Tomcat"
> allowTrace="false"
> maxThreads="150"
> SSLEnabled="true"
> defaultSSLHostConfigName="${hostname:-docker.fritz.box}" >
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" compression="on" />
> <SSLHostConfig honorCipherOrder="true" insecureRenegotiation="false"
> hostName="tomcat.fritz.box"
> protocols="+TLSv1.2,+TLSv1.3"
> certificateVerification="required"
> caCertificateFile="${catalina.base}/conf/ssl/chain.logopk.crt.pem"
> disableCompression="true"
> disableSessionTickets="true"
> ciphers="TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!kECDH:ECDH+AESGCM:ECDH+CHACHA20:!aNULL:!SHA1:!AESCCM"
> certificateRevocationListFile="${catalina.base}/conf/ssl/ca-bundle-client.crl">
> <Certificate certificateKeyFile="${catalina.base}/conf/ssl/tomcat.key"
> certificateFile="${catalina.base}/conf/ssl/tomcat.crt"
> certificateChainFile="${catalina.base}/conf/ssl/int.logopk.crt.pem"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
>
> root@tomcat:/usr/local/tomcat# bin/version.sh
> Using CATALINA_BASE: /opt/apache-tomcat.base
> Using CATALINA_HOME: /usr/local/tomcat
> Using CATALINA_TMPDIR: /opt/apache-tomcat.base/temp
> Using JRE_HOME: /opt/java/openjdk
> Using CLASSPATH: /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
> Using CATALINA_OPTS: -XX:NativeMemoryTracking=summary
> -Dhostname=docker3.fritz.box -Djava.awt.headless=true
> -Djavax.net.ssl.trustStore=/opt/apache-tomcat.base/conf/ssl/cacerts.jks
> -Xlog:gc:/opt/apache-tomcat.base/logs/gc.log
> -Djava.security.egd=file:/dev/urandom -Dsun.net.inetaddr.ttl=60
> -Djava.library.path=/usr/local/tomcat/native-jni-lib
> -Djdk.tls.ephemeralDHKeySize=2048
> -Djdk.tls.rejectClientInitiatedRenegotiation=true
> -Djdk.tls.server.enableStatusRequestExtension=true
> -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=10001
> -Dcom.sun.management.jmxremote.rmi.port=10002
> -Dcom.sun.management.jmxremote.authenticate=false
> -Dcom.sun.management.jmxremote.ssl=false
> -Djava.rmi.server.hostname=docker3.fritz.box
> -Dcom.sun.management.jmxremote.local.only=false
> -javaagent:/opt/apache-tomcat.base/bin/jmx_prometheus_javaagent-0.12.0.jar=8080:/opt/apache-tomcat.base/bin/tomcat.yaml
> -XX:+UnlockDiagnosticVMOptions
> NOTE: Picked up JDK_JAVA_OPTIONS:
> --add-opens=java.base/java.lang=ALL-UNNAMED
> --add-opens=java.base/java.lang.invoke=ALL-UNNAMED
> --add-opens=java.base/java.lang.reflect=ALL-UNNAMED
> --add-opens=java.base/java.io=ALL-UNNAMED
> --add-opens=java.base/java.util=ALL-UNNAMED
> --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
> --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
> Server version: Apache Tomcat/9.0.113
> Server built: Dec 2 2025 19:51:24 UTC
> Server number: 9.0.113.0
> OS Name: Linux
> OS Version: 6.12.57+deb13-arm64
> Architecture: aarch64
> JVM Version: 11.0.29+7
> JVM Vendor: Eclipse Adoptium
>
> root@tomcat:/usr/local/tomcat# openssl version
> OpenSSL 3.5.4 30 Sep 2025 (Library: OpenSSL 3.5.4 30 Sep 2025)
>
> tomcat | 15-Jan-2026 14:45:10.675 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.4] using APR version [1.7.5].
